Description
PyPI changed behaviour today because of vulnerabilities in urllib, which
is used by pip.
http://blog.blindspotsecurity.com/2016/06/advisory-http-header-injection-in.html
PyPI changed to denying HTTP requests entirely instead of redirecting to
HTTPS. (I guess? I don't really understand.)
Without this patch:
root@derpderp:~# cat foo.pp
package
root@derpderp:~# puppet apply foo.pp
Warning: Setting templatedir is deprecated. See http://links.puppetlabs.com/env-settings-deprecations
(at /usr/lib/ruby/vendor_ruby/puppet/settings.rb:1139:in `issue_deprecation_warning')
Notice: Compiled catalog for derpderp in environment production in 0.14 seconds
Error: Could not get latest version: HTTP-Error: 403 Must access using HTTPS instead of HTTP
Error: /Stage[main]/Main/Package[diskimage-builder]/ensure: change from 1.17.0 to latest failed: Could not get latest version: HTTP-Error: 403 Must access using HTTPS instead of HTTP
Notice: Finished catalog run in 0.67 seconds
So this breaks any Puppet 3.x using the default pip provider.
With this patch, it just works.
Issue Links
- is duplicated by: PUP-6444 Python PIP provider version => latest stopped working for everyone pre-4.5.2 (Closed)